Cellphone and Mobile Device Forensics
An update on concepts
Presented by Peter L. Fryer ACE, CFE, CISA, MPSC
Pencils Out Please!
Find the evidence
Abstract – Mobile device forensic analysis is the field that addresses the extraction, analysis and review of data collected from mobile devices.
Current analysis trends include, but are not limited to, evidence collection, behaviour analysis and the detection of malware/spyware on mobile devices.
This presentation will provide clarity on forensic techniques and malware detection.
Problem Statement
Mobile devices form part of the battlefield of Internet-based crime.
Mobile devices now form an integral part of society and manage how we interact with our community.
Nomophobia
Nomophobia is the fear of being out of mobile phone contact.
53% of users polled became anxious when their phone had no signal, a low battery or was switched off. The average distance between polled users and their handset during the day rarely exceeded 1.5 m.
Source: Wikipedia
Mobile Device Forensics
• Widely used since 2002
• Effective, court-tested methodology
• Collection, extraction and analysis of data on mobile devices
THEN
NOW
Cell Phones – what is out there?
GSM – 4 operators – 41 million subscribers in South Africa (approx. 87% of the population)
Worldwide: approx. 5+ billion subscribers (including 3G, WCDMA, HSDPA)
Source: gsmworld.com
GSM Network Operators:
• Vodacom (largest provider, approx. 21 million subscribers)
• MTN – Mobile Telephone Networks
• Cell-C
• Telkom – 8.ta
Concept – Cellphone Forensics
Computer Forensics – Operating Systems: Windows, Apple, Linux
Mobile – Operating Systems
What information can we expect in a mobile phone handset?
• Contacts
• Calls (dialled, missed, received)
• Text messages
• Multimedia messages
• Drafts
• Pictures, audio and video images
• E-mail, browser history
• Tasks / notes / calendars
• Application files
• Maps, GPS locations visited
• Times and dates
Extraction Methodologies
• Cable, Bluetooth (pairing) and IR
• Chip off – volatile
• Recovery of logical data as well as deleted information
• Deleted data includes:
– SMS
– Call logs
– Files
– System files
Data Cache
WiFi connections, Internet usage, keyboard cache and app usage
WiFi Connections
Application Name | Longitude | Latitude | Time | Type
Consolidated Database (Apple) Wi-Fi MAC=0:21:4:a0:b9:d8 | 18.84172952 | -34.11499512 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=94:44:52:f:77:19 | 18.84171432 | -34.11498498 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=0:60:b3:a4:64:87 | 18.84170436 | -34.11496382 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=0:19:cb:3c:b8:3c | 18.84180319 | -34.11501181 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=0:19:70:14:12:14 | 18.84193527 | -34.11499309 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=0:4:ed:b9:33:13 | 18.84194082 | -34.11468487 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=d8:5d:4c:b2:3:c8 | 18.84307813 | -34.11410129 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=0:4:ed:da:6f:a2 | 18.84195852 | -34.1134119 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=0:30:a:eb:2d:bf | 18.84289234 | -34.11367881 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=0:13:f7:3e:5a:60 | 18.84248417 | -34.11320757 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=0:60:b3:4f:34:30 | 18.84235602 | -34.11301624 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
GPS Co-ordinates
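Added example, not part of the presentation: a Python parser for rows in the Wi-Fi cache layout above. It groups the access points logged in the same second into one scan and places the device at their centroid, which shows how a cached Wi-Fi scan yields a position and an approximate radius. It assumes a tab-separated export; the rows and MAC addresses are constructed.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample rows in the column layout of the Wi-Fi listing above
# (Application Name, Longitude, Latitude, Time, Type), tab-separated; MACs are placeholders.
SAMPLE_ROWS = """\
Consolidated Database (Apple) Wi-Fi MAC=00:11:22:33:44:01\t18.84172952\t-34.11499512\t2011/09/01 06:51:58 PM UTC (Device)\tWi-Fi
Consolidated Database (Apple) Wi-Fi MAC=00:11:22:33:44:02\t18.84171432\t-34.11498498\t2011/09/01 06:51:58 PM UTC (Device)\tWi-Fi
Consolidated Database (Apple) Wi-Fi MAC=00:11:22:33:44:03\t18.84307813\t-34.11410129\t2011/09/01 06:51:58 PM UTC (Device)\tWi-Fi
Consolidated Database (Apple) Wi-Fi MAC=00:11:22:33:44:04\t18.84235602\t-34.11301624\t2011/09/01 06:51:58 PM UTC (Device)\tWi-Fi
Consolidated Database (Apple) Wi-Fi MAC=00:11:22:33:44:05\t18.87000000\t-34.09000000\t2011/09/02 07:10:00 AM UTC (Device)\tWi-Fi
"""

MAC_RE = re.compile(r"MAC=([0-9a-fA-F:]+)")
TIME_FMT = "%Y/%m/%d %I:%M:%S %p UTC"

def parse_rows(text):
    """One cache row per line -> dict with floats and a timezone-aware UTC datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, lon, lat, when, kind = line.split("\t")
        ts = datetime.strptime(when.replace(" (Device)", ""), TIME_FMT)
        records.append({"mac": MAC_RE.search(app).group(1), "lon": float(lon), "lat": float(lat),
                        "time": ts.replace(tzinfo=timezone.utc), "type": kind})
    return records

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(a))

def estimate_positions(records):
    """Access points logged in the same second form one scan; the device is placed at their
    centroid. Returns (time, lat, lon, ap_count, spread_m); spread = centroid to farthest AP."""
    by_time = defaultdict(list)
    for r in records:
        by_time[r["time"]].append(r)
    out = []
    for ts, aps in sorted(by_time.items()):
        lat = sum(a["lat"] for a in aps) / len(aps)
        lon = sum(a["lon"] for a in aps) / len(aps)
        spread = max(haversine_m(lat, lon, a["lat"], a["lon"]) for a in aps)
        out.append((ts, round(lat, 6), round(lon, 6), len(aps), round(spread)))
    return out
```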
Internet Usage
Application | Web Address | Page Title | Access Count | Accessed
Safari (Apple) | http://www.beeld.com/Sport/Rugby | | 2 | 2011/09/07 05:44:38 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika | | 2 | 2011/09/07 05:35:08 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Sport/Rugby/Die-Bok-spel-gevaar-Wallis-20110904 | Dié Bok spel gevaar – Wallis: Beeld: Sport: Rugby | 1 | 2011/09/06 06:05:17 AM UTC (Device)
Safari (Apple) | http://192.168.65.54/?screenWidth=768 | Enigma PDA Web Interface | 1 | 2011/09/06 05:25:51 PM UTC (Device)
Safari (Apple) | http://www.rapport.co.za/ | Rapport | 1 | 2011/09/06 06:07:54 AM UTC (Device)
Safari (Apple) | http://192.168.65.54/ | Enigma Web Interface | 1 | 2011/09/06 05:25:50 PM UTC (Device)
Safari (Apple) | http://www.rapport.co.za/Suid-Afrika | | 1 | 2011/09/06 06:25:00 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/1-sterf-2-erg-beseer-in-kettingbotsing-op-N1-20110905 | 1 sterf, 2 erg beseer in kettingbotsing op N1: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 05:57:46 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Van-geskors-tot-in-ander-hoe-pos-20110905 | Van geskors tot in ander hoë pos: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 05:55:35 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Pil-soos-Simply-Slim-nou-te-kry-20110905 | Pil ‘soos Simply Slim’ nou te kry: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 05:52:56 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Wereld/Nuus/Mugabe-sterf-in-2013-20110904 | Mugabe ‘sterf in 2013’: Beeld: Wêreld: Nuus | 1 | 2011/09/06 06:01:28 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Wereld | | 1 | 2011/09/06 06:01:18 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Mandela-ongeluk-Moord-klag-verander-20110905 | Mandela-ongeluk: Moord-klag verander: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 06:00:12 AM UTC (Device)
Safari (Apple) | http://192.168.65.54:16001/ | CCcam info pages | 1 | 2011/09/06 05:26:16 PM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Bloedwater-versuur-die-lewe-van-sakemanne-20110906 | Bloedwater versuur die lewe van sakemanne: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/07 05:39:32 AM UTC (Device)
Keyboard Cache
Text:
KikisystemscomrexmaxloadmaxcommmaratonmyadslmytvmotogponsoljullejKpklkmkkiipllljkkllkkkkkkjnjjjbbbhgmkanskxhhmtukllkkpkkklkjkjgegeegumtreegbvgggggvvzapasscodeqqxqqnsnnnmnnnbggvbbvvvrvvvxzbvbeeldvbvbbabsa
Password
App Usage
Application | Time | Duration | Access Count
com.apple.mobilesafari | 2011/08/14 UTC (Device) | 00:08:18 | 9
com.iber4.dodgemcars | 2011/08/18 UTC (Device) | 00:00:00 | 9
com.hackulo.us.installous | 2011/08/15 UTC (Device) | 00:50:08 | 9
com.RockingPocketGames.iFishingSE | 2011/08/21 UTC (Device) | 00:56:59 | 8
com.ea.candcra.inc | 2011/08/13 UTC (Device) | 00:17:33 | 8
com.apple.Preferences | 2011/08/08 UTC (Device) | 00:00:49 | 8
com.iber4.dodgemcars | 2011/08/16 UTC (Device) | 00:00:00 | 8
com.hackulo.us.installous | 2011/08/21 UTC (Device) | 00:33:25 | 8
com.apple.mobileipod-VideoPlayer | 2011/08/15 UTC (Device) | 01:07:05 | 8
com.outfit7.talkingbirdipad | 2011/09/03 UTC (Device) | 00:30:26 | 7
com.hackulo.us.installous | 2011/08/28 UTC (Device) | 00:19:27 | 7
com.hackulo.us.installous | 2011/08/22 UTC (Device) | 01:11:07 | 7
com.compumasterltd.poolrebel | 2011/08/25 UTC (Device) | 00:34:07 | 7
Fun Fone Facts
Physical Recovery
8GB of useful data retrieved using “chip off” techniques
Concept – Malware/Spyware
Mobile Device Vulnerabilities
Mobile phones have three vulnerabilities:
1. Interception
2. Monitoring
3. Command and Control
Interception
– Network
– Off air (passive)
– Spyware
Monitoring
– App usage
– Malware/spyware
– Collection
Command and Control
– Deploy as a bot
– Escalate user privileges
– Premium service subscription
Malware – what we know
The majority of malware deployments include social engineering.
Deployment on two levels:
Level I – Physical deployment
Level II – Social engineering (phishing)
Deployment
Physical access
– Flash disk
– Link to web download
– Override user privileges
Social engineering
– Refer to web download (games, banking app)
– Spoofed login to collect credentials
Malware
Malware – designed to exploit security
– Trigger data costs (premium SMS/data services)
– Escalate user privileges
– Phones act as bots for malicious attacks
– Allows for remote control of the device
Spyware
Spyware – deployed to compromise user-created information
– Covert interception and monitoring
– Collect communications and data
– Collect credentials (two-factor authentication)
• OTP
• Password reset info
Detection of Malware and Spyware
• Behaviour analysis of device
• Data usage tracking
• App identification and logging
• Deploy content management tools
• Enforce local security policies
• System file analysis
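Added example, not part of the presentation: Python that parses records in the App Usage layout shown earlier and applies two of the detection ideas above, app identification against a trusted list and spotting a jailbreak indicator. The trusted prefixes and the indicator list are assumptions for this example, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the "Application / Time / Duration / Access Count" layout
# of the App Usage listing above; values are illustrative, not from a real case.
SAMPLE_USAGE = """\
Application: com.apple.mobilesafari
Time: 2011/08/14 UTC (Device)
Duration: 00:08:18
Access Count: 9
Application: com.hackulo.us.installous
Time: 2011/08/21 UTC (Device)
Duration: 00:33:25
Access Count: 8
Application: com.hackulo.us.installous
Time: 2011/08/15 UTC (Device)
Duration: 00:50:08
Access Count: 9
"""

RECORD_RE = re.compile(
    r"Application: (\S+)\s+Time: (\S+)[^\n]*\s+Duration: (\d+):(\d+):(\d+)\s+Access Count: (\d+)"
)

# Assumed policy lists for this example. Installous only runs on a jailbroken device
# (it was distributed through Cydia), so its presence is a jailbreak indicator.
JAILBREAK_INDICATORS = {"com.hackulo.us.installous", "com.saurik.Cydia"}
TRUSTED_PREFIXES = ("com.apple.",)

def parse_usage(text):
    # One dict per four-line record; the duration is converted to seconds.
    out = []
    for app, date, h, m, s, count in RECORD_RE.findall(text):
        out.append({"app": app, "date": date,
                    "seconds": int(h) * 3600 + int(m) * 60 + int(s),
                    "count": int(count)})
    return out

def review(records):
    # Aggregate per bundle id, then apply the rules: {app: (seconds, launches, flags)}.
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r["app"]][0] += r["seconds"]
        totals[r["app"]][1] += r["count"]
    result = {}
    for app, (secs, launches) in totals.items():
        flags = []
        if app in JAILBREAK_INDICATORS:
            flags.append("jailbreak indicator")
        if not app.startswith(TRUSTED_PREFIXES):
            flags.append("not on trusted app list")
        result[app] = (secs, launches, flags)
    return result
```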
Challenges for infosec practitioners
Mobile devices fall into the BYOD class
– Deployment of threats from behind the firewall
Mobile devices differ drastically
– No single tool to manage and audit devices
No single detection methodology
– Multi-platform approach to detection (expensive)
Difficult to monitor (form part of a closed network)
– Devices not part of the local network
No alert functionality on mobile device
– Apps installed as trusted
What we need to know
• Consult the experts
Defence Strategy
• Review user privileges
• Install only trusted apps
• Maintain physical security of device
• Review data usage
• No “rooting” or “jailbreaking”
Research – spyware
• Applications and software purchased
• File system analysed
• Deployed to several phones
– Sony Ericsson
– Samsung
– Blackberry
– Nokia
Spyware Tested/Reviewed
• Killer Mobile – Tra v4.1
• eBlaster Mobile edition
• MobileSpy IE
• Spy Bubble
• Cell-Tracker Pro
Observations
• Tools effective for capturing mainly text-based data
• Slows device response to user prompts
• Extensive battery drain
• Visual triggers
– Data usage
– Device activity
– BB log
Concept Overview
• Cellphones and mobile devices are to be included as primary evidence sources
• Reliable evidence recovery from mobile devices
• Detection methodologies exist for spyware and malware deployments
• Accredited experts available locally
FAQ
• Is my phone bugged?
• How am I tracked by using my cellphone?
• Can I tell if my phone is bugged?
• Can you recover deleted messages and data from my phone?
• What is the safest phone in terms of defence against spyware?